Chinese Hacker Group Is Back With Corporate Espionage Campaigns Targeting Western Organizations

Keyboy, a Chinese hacking group has reemerged with a new campaign of malware attack techniques, this time targeting numerous organizations in Western nations. The advanced persistent group has been operating out of China since 2013 and had previously targeted individuals and organizations in countries in Southeast Asia including Taiwan, Tibet, and the Philippines.

The new corporate espionage campaign by Keyboy, through their specialized malware alongside phishing emails, helps them spy, as well as steal from targets.

Now over the years, Chinese hackers were dubbed the most careless and noisiest in the cybercrime world. They have worldwide recognition stemming from their ruthless behavior of hacking anything they lay their hands on and making security systems look average. Also, they do not care about covering their tracks with little regard to stealth.

But with recent attacks, it seems they have been more careful and well organized, putting up sophisticated strategies to go after their choice of targets.

Instead of kicking down the front door, Chinese hacker groups have started to pick locks and operate in the shadows.

Tom Hegel, Senior Threat Researcher at 401TRG, speaking after the hack of the CCleaner app which is believed to have been carried out by a Chinese APT codenamed Axiom, stated that “there was indeed a decrease in activity of Chinese APTs following the pact.”

“They became more strategic and operate with improved tactics since then,” he added. “They were once very noisy with little care for operational security. These days it’s more strategically controlled.”

The last known activity by the hacker group, Keyboy came between August and October 2016, when they targeted the Tibetan parliament. Reports suggest that the hacker group went on ghost mode after that. However, they seem to be back with their sights set on corporations in the Western nations.

According to reports, Keyboy has created spy malware which enables them to perform malicious activities on infected computers secretly. The malware has numerous capabilities of which some include taking screenshots, equipped with keylogging features, and also can stroll through and download files of victims, gather extended system information about the machine and also shutting down infected systems.

Reports from researchers at a prominent security firm suggest that Keyboy hackers are in possession of a new payload and after analyzing it, found out that, it incorporates new techniques capable of replacing legitimate Windows binaries with a copy of the malware. The malware disables Windows File Protection which then enables the hackers to perform their malicious activities under the radar.

Synonymous to many espionage campaigns, this begins with emails and a malicious document and in the case analyzed by the security researchers, the bait here was a Microsoft Word document with the name “Q4 Work Plan.docx”.

The bait uses the DDE (Dynamic Data Exchange) protocol to locate and download a remote payload instead of delivering malicious macros or an exploit.

The attack is planned to prompt victims to update the malicious Word document delivered by the phishing email and once the victims fall for it and click on the update option, a malware dropper is served up and the malware eventually installed into the targets’ PC.

When the process is done running with the malware being installed, the initial DLL is deleted without any trace of the malicious fake and once the malware also disables Windows File Protection and its notification pop ups, system administrators won’t immediately notice that a legitimate DLL has been replaced.

The hackers are then at liberty to execute espionage campaigns they wish to once they gain access to the target system.

Researchers have stated that it is still unclear what type of organizations that the hacker group is now targeting with its latest campaign. There is still no clear indications as to if the hacker group is a state-backed organization or if they are just part of another cybercrime group.

Reports state that Keyboy has a “medium level of technical and operational know-how”.

Although Keyboy in their previous campaign targeted organizations in Southeast Asia, it has now turned their attention to conducting corporate espionage on organizations in the West and this may indicate a possible expansion of operations.

The term APT (advanced persistent threat), initially meant Asia-Pacific Threat, mainly because of the onslaught of Chinese hacks at the start of the 2000s, but is now used to describe hacker groups believed to be operating at orders and also under the protection of local governments.